Is your company safe from electronic attack?: Concern over possible building

The soft underbellies of many of Bermuda's companies -- international and local -- may be exposed in the unprotected telephone access rooms found at the bottom of many office buildings in Hamilton.

Gavin Adams, an electronic security consultant at Ernst & Young in Bermuda, said he could name a couple of buildings he has worked in where anyone could get into those rooms.

"We didn't know who was going in there," he said. "Some of them were even nicely labelled. Physical security is a misnomer in Bermuda." In some of the newer buildings going up, the designers seem to have become more aware of the potential for breaches of security and have put in protection and access requirements, he said. Others remain open to question.

Building access rooms hold the telephone switching boxes and lines for a building's tenants, through which all incoming and outgoing voice and data communications normally flow. This means access codes, data and voice traffic are all exposed to a tap. A criminal can then use the information gathered to break into computer networks and cause damage.

The corporate world is starting to take real notice that an electronic attack could hurt their daily business. With the rise of the Internet, electronic business and e-mail, vulnerability has increased. Paranoia might be a good thing.

According to PC Magazine (September 1, 1999), the Computer Security Institute estimates corporations lost about $100 million last year because of attacks through the Internet. Last year, corporations had 86.5 "virus encounters" per 1,000 machines, compared with 62.5 encounters per 1,000 in 1997, according to the International Security Association. Another study, by the International Centre for Security Analysis, found that 70 percent of Web sites with certified commercial firewalls were vulnerable to attacks due to misconfiguration or improper deployment.

The risks to business are fraud, malicious damage to data, leaks of proprietary information, and loss of revenue and of customer confidence. The public normally doesn't hear about most hacking incidents. Corporations, especially banks and others in the financial sector, prefer to hush up electronic break-ins.

The need has arisen for a more active type of security monitoring which goes beyond the traditional firewall strategy, Mr. Adams said. This scaled approach includes the use of what are called "intrusion detection systems" -- looking for patterns of behaviour and data flow on the network to sniff out suspicious activity.

Companies must also put in place a procedure for tracking changes to the system afterwards as machines are taken out and added. A security policy must be put in place. Physical security -- access to the places where computers and communication equipment are stored -- is just as important as protection of the network data.

It's no good if you have the best server protection around when someone can walk in to the building and tap into the network, or a disgruntled employee can roam into computer spaces where he shouldn't.

"It's not the hackers you have to worry about. Eighty percent of all security incidents happen from within an organisation," Mr. Adams said in a talk he gave on the subject. Lax internal security can inadvertently open a network to external attack.

With the increased focus on the protection of communications and computer equipment and networks, the electronic security industry is gearing up for what's seen as a growth area. A survey at a Gartner Group Information Security Conference this summer found 75 percent of those attending reported their organisations plan on increasing spending on security products and services during the next year.

"The security industry is today where networking was in the 1990s," Mr. Adams said.

Andersen Consulting, Deloitte Consulting, Ernst & Young and IBM are among the firms rushing to fill the demand. IBM has an Internet Emergency Response Service which, for $37,000 a year, provides protection and recovery during and after a hack.

Ernst & Young has 400 security staff in North America devoted to what it calls its eSecurity Solutions practice. The practice was launched in 1997.

Prior to that electronic security was handled in a less co-ordinated way.

Mr. Adams was brought here to build up Ernst & Young's electronic commerce and security consulting division in Bermuda. He sums up the new corporate thinking and sales approach this way.

"Companies are being viewed as pieces of information with processes behind them," Mr. Adams said in describing the information age corporation.

"Information is the life blood of a company." There can never be a guarantee of full security. Measures range from passwords and electronic access cards to putting in place a security policy on what employees may do on the network or the Internet.

"You have to strike a balance between the hassle and the risks," he said.

"Users need to use the system. You should also not spend more money than the information is worth." A full analysis of a company's electronic network can take anywhere from three to six months depending on the scale of the operations. External business partners must also be monitored and asked to follow certain practices.

"Hackers exploit trusted relationships between suppliers," he said. That period is often used to let the company settle back into its "normal" practices, so that the system can be analysed and tested as it is actually used. One such early test is to ring all of a company's phone numbers to find out where all the modems are located.

Mr. Adams has turned up the odd one or two that a company may not have known about.

Then an "attack and penetration" assault is launched on the company to find weak spots. A full management system must also be put in place.

Mr. Adams has been to companies where no-one had checked the firewall logs for months. Employees must be coached to become more aware of the potential for attack and follow procedures. Security should become a habit.
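The two monitoring points raised above, an intrusion detection system that looks for patterns in network data flow and firewall logs that nobody reads, come together in a routine log review. The following is an added illustration, not code from the article or from Ernst & Young: it parses a small, constructed firewall log (hypothetical "timestamp action source destination port" format; the addresses are documentation ranges) and flags a source that touches many distinct ports on one host within a short window, which is the kind of behaviour pattern a check of the logs would surface. Thresholds and the log format are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); hypothetical format:
# "<ISO timestamp> <ALLOW|DENY> <src> <dst> <dport>"
SAMPLE_LOG = """\
1999-09-01T08:00:01 DENY 203.0.113.7 192.0.2.10 21
1999-09-01T08:00:02 DENY 203.0.113.7 192.0.2.10 22
1999-09-01T08:00:02 DENY 203.0.113.7 192.0.2.10 23
1999-09-01T08:00:03 DENY 203.0.113.7 192.0.2.10 25
1999-09-01T08:00:03 DENY 203.0.113.7 192.0.2.10 80
1999-09-01T08:00:04 DENY 203.0.113.7 192.0.2.10 110
1999-09-01T08:00:04 DENY 203.0.113.7 192.0.2.10 143
1999-09-01T08:00:05 DENY 203.0.113.7 192.0.2.10 443
1999-09-01T08:15:00 ALLOW 198.51.100.4 192.0.2.10 80
1999-09-01T08:15:07 ALLOW 198.51.100.4 192.0.2.10 443
1999-09-01T09:00:00 DENY 198.51.100.9 192.0.2.20 23
1999-09-01T09:00:00 ALLOW 192.0.2.33 192.0.2.10 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def parse_log(text):
    """Parse a whole log, silently skipping malformed lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_port_scans(entries, window_seconds=60, min_ports=5):
    """Flag (src, dst) pairs where one source reaches at least min_ports
    distinct destination ports on one host within window_seconds.
    Returns {(src, dst): largest distinct-port count seen in any window}."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["src"], e["dst"])].append(e)
    window = timedelta(seconds=window_seconds)
    hits = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event and count distinct ports in it.
        for i, start in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


def deny_counts(entries):
    """Count denied connections per source, a cheap first pass over the log."""
    counts = defaultdict(int)
    for e in entries:
        if e["action"] == "DENY":
            counts[e["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (src, dst), n in find_port_scans(entries).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports within 60s")
    for src, n in sorted(deny_counts(entries).items()):
        print(f"{src}: {n} denied connections")
```

Run against the sample, the script reports the single source that probed eight ports on one host within a few seconds and leaves the ordinary web traffic alone; the two legitimate-looking sources with one or two denials are listed in the deny summary but not flagged. In practice the same two functions would be run over each day's real log and the flagged pairs reviewed, which is exactly the habit the article says companies were failing to build.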

"Security is a mindset, just like locking the door to your home," he said.

Gavin Adams: Physical security is a misnomer